This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans identified between September 13 and September 20, 2004. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.

Bugs, Holes, & Patches

The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.

The Risk levels defined below are based on how the system may be impacted:

High - A
high-risk vulnerability is defined as one that will allow an intruder to
immediately gain privileged access (e.g., sysadmin or root) to the system or
allow an intruder to execute code or alter arbitrary system files. An example
of a high-risk vulnerability is one that allows an unauthorized user to send a
sequence of instructions to a machine and the machine responds with a command
prompt with administrator privileges.

Medium - A
medium-risk vulnerability is defined as one that will allow an intruder
immediate access to a system with less than privileged access. Such
vulnerability will allow the intruder the opportunity to continue the attempt
to gain privileged access. An example of medium-risk vulnerability is a server
configuration error that allows an intruder to capture the password
file.

Low - A
low-risk vulnerability is defined as one that will provide information to an
intruder that could lead to further compromise attempts or a Denial of Service
(DoS) attack. It should be noted that while the DoS attack is deemed low from
a threat potential, the frequency of this type of attack is very high. DoS
attacks against mission-critical nodes are not included in this rating and any
attack of this nature should instead be considered to be a "High"
threat.

Windows Operating Systems Only

Columns: Vendor & Software Name | Vulnerability - Impact | Patches - Workarounds | Attacks Scripts | Common Name | Risk | Source

Vendor: Google
Software Name: Toolbar 1.1.41-1.1.49, 1.1.53-1.1.60, 2.0.114.1
Vulnerability - Impact: An input validation vulnerability exists in the 'About' section of the Google Toolbar due to insufficient filtering of HTML code, which could let a remote malicious user execute arbitrary HTML and JavaScript code.
Patches - Workarounds: No workaround or patch available at time of publishing.
Attacks Scripts: A Proof of Concept exploit script has been published.
Common Name: Google Toolbar Input Validation
Risk: High
Source: Bugtraq, September 17, 2004

Vendor: IBM
Software Name: Microsoft Windows XP SP1 OEM Version, Microsoft Windows XP OEM Version
Vulnerability - Impact: A vulnerability exists due to a default hidden administrative account that fails to set a password, which could let a malicious user obtain administrative access.
Patches - Workarounds: No workaround or patch available at time of publishing.
Attacks Scripts: There is no exploit code required; however, a Proof of Concept exploit has been published.
Common Name: IBM OEM Microsoft Windows Default Administrative Account
Risk: High
Source: SECNAP Advisory, September 15, 2004

Vendor: McAfee
Software Name: VirusScan 4.5, 4.5.1
Vulnerability - Impact: A vulnerability exists in 'System Scan' via the system tray applet due to the failure to drop privileges, which could let a malicious user execute arbitrary code.
Patches - Workarounds: This issue has reportedly been addressed by the vendor in Patch 48, which may be obtained by customers with a valid contract grant number through McAfee Corporate Technical Support.
Attacks Scripts: There is no exploit code required.
Common Name: McAfee VirusScan Arbitrary Code Execution
Risk: High
Source: iDEFENSE Security Advisory, September 15, 2004

Vendor: Microsoft
Software Name: Windows CE 2.0, 3.0, 4.2
Vulnerability - Impact: A vulnerability exists in the kernel memory structure KDataStruct, which could let a malicious user obtain sensitive information.

Vulnerability - Impact: Two vulnerabilities exist: a Denial of Service vulnerability exists due to an error when processing incoming traffic; and a Cross-Site Scripting vulnerability exists due to insufficient sanitization of user-supplied URI input, which could let a remote malicious user execute arbitrary HTML and script code.
Patches - Workarounds: No workaround or patch available at time of publishing.
Attacks Scripts: There is no exploit code required; however, a Proof of Concept exploit has been published for the Cross-Site Scripting vulnerability.

Vulnerability - Impact: A vulnerability exists in the 'pdesk.cgi' software due to insufficient validation of the 'lang' parameter, which could let a malicious user obtain sensitive information.
Patches - Workarounds: No workaround or patch available at time of publishing.
Attacks Scripts: There is no exploit code required; however, a Proof of Concept exploit has been published.
Common Name: PerlDesk 'lang' Parameter Input Validation
Risk: Medium
Source: SecurityTracker Alert ID 1011276, September 15, 2004

Vendor: MacOSXLabs
Software Name: RsyncX 2.1
Vulnerability - Impact: Two vulnerabilities exist: a vulnerability exists due to a failure to drop 'wheel' group privileges, which could let a malicious user execute arbitrary programs; and a vulnerability exists in '/tmp/cron_rsyncxtmp' because the temporary file is created insecurely, which could let a malicious user obtain elevated privileges.

Vulnerability - Impact: A buffer overflow vulnerability exists in the apr-util library's IPv6 URI parsing functionality due to insufficient validation, which could let a remote malicious user execute arbitrary code. Note: On Linux-based Unix variants this issue can only be exploited to trigger a Denial of Service condition.

Vulnerability - Impact: Multiple double-free vulnerabilities exist due to inconsistent memory handling routines in the krb5 library: various double-free errors exist in the KDC (Key Distribution Center) cleanup code and in client libraries, which could let a remote malicious user execute arbitrary code; various double-free errors exist in the 'krb5_rd_cred()' function, which could let a remote malicious user execute arbitrary code; a double-free vulnerability exists in krb524d, which could let a remote malicious user execute arbitrary code; and a vulnerability exists in the ASN.1 decoder when handling indefinite length BER encodings, which could let a remote malicious user cause a Denial of Service.

Vulnerability - Impact: Multiple buffer overflow vulnerabilities exist in the Imlib/Imlib2 libraries when handling malformed bitmap images, which could let a remote malicious user cause a Denial of Service or execute arbitrary code.

Vulnerability - Impact: Multiple vulnerabilities exist: a vulnerability exists when decoding BMP images, which could let a remote malicious user cause a Denial of Service; a vulnerability exists when decoding XPM images, which could let a remote malicious user cause a Denial of Service or execute arbitrary code; and a vulnerability exists when attempting to decode ICO images, which could let a remote malicious user cause a Denial of Service.

Vulnerability - Impact: Multiple vulnerabilities exist: a stack overflow exists in 'xpmParseColors()' in 'parse.c' when a specially crafted XPMv1 or XPMv2/3 file is submitted, which could let a remote malicious user execute arbitrary code; a stack overflow vulnerability exists in the 'ParseAndPutPixels()' function in 'create.c' when reading pixel values, which could let a remote malicious user execute arbitrary code; and an integer overflow vulnerability exists in the colorTable allocation in 'xpmParseColors()' in 'parse.c', which could let a remote malicious user execute arbitrary code.

Vulnerability - Impact: Several vulnerabilities exist: a remote Denial of Service vulnerability exists in the 'process_logon_packet()' function due to insufficient validation of 'SAM_UAS_CHANGE' request packets; and a remote Denial of Service vulnerability exists when a malicious user submits a malformed packet to a target 'smbd' server.

Vulnerability - Impact: A Denial of Service vulnerability exists in SpamAssassin. A remote user can send an e-mail message with specially crafted headers to cause a Denial of Service attack against the SpamAssassin service.

Vulnerability - Impact: A vulnerability exists due to insufficient validation of symbolic links when sudoedit ("sudo -u" option) copies temporary files, which could let a malicious user access the contents of arbitrary files with superuser privileges.

Vulnerability - Impact: Two vulnerabilities exist: a vulnerability exists because some security checks are performed on the client-side and not on the server-side, which could let an authenticated remote malicious user delete arbitrary documents; and a Cross-Site Scripting vulnerability exists due to insufficient sanitization of user-supplied input when uploading documents, which could let a remote malicious user execute arbitrary HTML and script code.
Patches - Workarounds: The vendor has released patches dealing with this issue. Users are recommended to contact the vendor for patch and update availability.

Vulnerability - Impact: A buffer overflow vulnerability exists in the Netscape Network Security Services (NSS) library suite due to insufficient boundary checks, which could let a remote malicious user execute arbitrary code.

Vulnerability - Impact: A Cross-Site Scripting vulnerability exists in 'transforms.php' due to insufficient sanitization of user-supplied URI input, which could let a remote malicious user execute arbitrary HTML and script code.

Vulnerability - Impact: Several vulnerabilities exist: a vulnerability exists due to a failure to properly validate access to administrative commands, which could let a remote malicious user execute arbitrary commands; and a Cross-Site Scripting vulnerability exists in the 'YaBB.pl' script, which could let a remote malicious user execute arbitrary HTML and script code.

Recent Exploit Scripts/Techniques

The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.

Columns: Date of Exploit (Reverse Chronological Order) | Script or Exploit Name | Workaround or Patch Available | Description

Date: September 21, 2004 | Script or Exploit Name: advisory-05-glFTPd.txt | Workaround or Patch Available: No
Description: Proof of concept exploit for the local stack overflow vulnerability in the dupescan binary from glFTPd versions 2.00RC3 and below.

Date: September 21, 2004 | Script or Exploit Name: ettercap-NG-0.7.1.tar.gz | Workaround or Patch Available: N/A
Description: Ettercap NG is a network sniffer/interceptor/logger for switched LANs. It uses ARP poisoning and the man-in-the-middle technique to sniff all the connections between two hosts.

Date: September 21, 2004 | Script or Exploit Name: mambo45.jose.txt | Workaround or Patch Available: Yes
Description: Mambo versions 4.5 and below are susceptible to cross site scripting and remote command execution flaws.

Description: CDRTools is reportedly vulnerable to an RSH environment variable privilege escalation vulnerability. This issue is due to a failure of the application to properly implement security controls when executing an application specified by the RSH environment variable.

Date: September 15, 2004 | Script or Exploit Name: challenges.tgz | Workaround or Patch Available: N/A
Description: This package contains example vulnerable C programs. There are examples of buffer overflows (stack and heap) and format string vulnerabilities. All examples are exploitable with a standard linux/x86 environment.

Date: September 15, 2004 | Script or Exploit Name: fwknop-0.4.1.tar.gz | Workaround or Patch Available: N/A
Description: fwknop is a flexible port knocking implementation that is based around iptables. Both shared knock sequences and encrypted knock sequences are supported.

Date: September 15, 2004 | Script or Exploit Name: myServer07.txt | Workaround or Patch Available: Yes
Description: myServer version 0.7 is susceptible to a simple directory traversal attack.

Date: September 15, 2004 | Script or Exploit Name: netw-ib-ox-ag-5.24.0.tgz | Workaround or Patch Available: N/A
Description: Netwox is a utility that supports various protocols (DNS, FTP, HTTP, NNTP, SMTP, SNMP) and performs low level functions like sniffing, spoofing traffic, and playing client/server roles. Both Windows and Unix versions are included.

Date: September 15, 2004 | Script or Exploit Name: None | Workaround or Patch Available: Yes
Description: Proof of concept exploit for the vulnerability in the Mozilla 'enablePrivilege' method.

Date: September 15, 2004 | Script or Exploit Name: None | Workaround or Patch Available: Yes
Description: Proof of concept exploit for the vulnerability in Mozilla and Firefox browsers that could permit a remote site to gain access to the contents of the client user's clipboard.

Date: September 15, 2004 | Script or Exploit Name: pizzaicmp.c | Workaround or Patch Available: N/A
Description: ICMP-triggered Linux kernel module that executes a local binary when the trigger is received.

Date: September 15, 2004 | Script or Exploit Name: Rx.exe | Workaround or Patch Available: Yes
Description: A small universal Windows reverse shell for all versions of Windows NT/2K/XP/2003 with any service pack.

Trends

Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system. Mozilla has released versions of the affected software that contain patches for these issues: Mozilla 1.7.3, Firefox Preview Release, Thunderbird 0.8. Users are strongly encouraged to upgrade to one of these versions: www.mozilla.org. For more information, see US-CERT Technical Cyber Security Alert TA04-261A: Multiple vulnerabilities in Mozilla products. Available at: http://www.uscert.gov/cas/techalerts/TA04-261A.html

The volume of worms and viruses is increasing, but the rate of successful attacks has dropped, according to a new report from Symantec. The antivirus company's biannual Internet Security Threat Report found that 4,496 new Windows viruses and worms were released between January and June, up more than 4.5 times from the same period last year. But overall the daily volume of actual attacks decreased in the first six months of 2004. Alfred Huger, a senior director at Symantec's Security Response team, said malicious code writers were increasingly going to spammers to sell them access to the computers that they hack, or break into. Spammers, after paying the hackers, then flood those hacked computers with unsolicited messages or spam. Symantec also said it expects more viruses and worms in the future to be written to attack systems that run on the Linux operating system and hand-held devices as they become more widely used. The report also noted that the rate at which personal computers are being hijacked by hackers rocketed in the first half of 2004. An average of 30,000 computers per day were turned into enslaved "zombies", compared with just 2000 per day in 2003. Report: http://enterprisesecurity.symantec.com/content.cfm?articleid=1539 (CNET News.com, September 20, 2004)

Viruses/Trojans

Top Ten Virus Threats

A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported during the latest three months), and approximate date first found.

Rank  Common Name  Type of Code  Trends           Date
1     Netsky-P     Win32 Worm    Stable           March 2004
2     Zafi-B       Win32 Worm    Stable           June 2004
3     Netsky-Z     Win32 Worm    Stable           April 2004
4     Netsky-D     Win32 Worm    Stable           March 2004
5     Netsky-B     Win32 Worm    Stable           February 2004
6     Mydoom.m     Win32 Worm    Increase         July 2004
7     Mydoom.q     Win32 Worm    Slight Decrease  August 2004
8     Bagle-AA     Win32 Worm    Slight Decrease  April 2004
9     Netsky-Q     Win32 Worm    Stable           March 2004
10    MyDoom-O     Win32 Worm    Decrease         July 2004

Top Ten Table Updated September 17, 2004

Viruses or Trojans Considered to be a High Level of Threat

Troj/IBank-A: Sophos is warning computer users about a Trojan horse that helps hackers break into the bank accounts of customers of an Australian bank. The Troj/IBank-A Trojan horse is designed to steal information from Internet customers of the National Australia Bank, which could allow hackers to break into accounts and steal substantial amounts of money. Although this particular Trojan horse only targets users of an Australian bank, Sophos warns that others have been seen which affect banking customers in other parts of the world.

The following table provides, in
alphabetical order, a list of new viruses, variations of previously encountered
viruses, and Trojans that have been discovered during the period covered by this
bulletin. This information has been compiled from the following anti-virus
vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central
Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer
Associates, and The WildList Organization International. Users should keep
anti-virus software up to date and should contact their anti-virus vendors to
obtain specific information on the Trojans and Trojan variants that anti-virus
software detects.

NOTE: At times, viruses and
Trojans may contain names or content that may be considered offensive.

This bulletin
provides a summary of new or updated vulnerabilities, exploits, trends, viruses,
and trojans identified between September 13 and September 20, 2004. Updates to items appearing in previous bulletins are listed in
bold text. The text in the Risk column appears in red for vulnerabilities
ranking High. The risks levels applied to
vulnerabilities in the Cyber Security Bulletin are based on how the "system" may
be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch
Available" column that indicates whether a workaround or patch has been
published for the vulnerability which the script exploits.

Bugs, Holes,
& Patches

The table below summarizes vulnerabilities
that have been identified, even if they are not being exploited. Complete
details about patches or workarounds are available from the source of the
information or from the URL provided in the section. CVE numbers are listed
where applicable. Vulnerabilities that affect both Windows and
Unix Operating Systems are included in the Multiple Operating
Systems section.

Note: All the information included in the following tables
has been discussed in newsgroups and on web sites.

The Risk levels
defined below are based on how the system may be impacted:

High - A
high-risk vulnerability is defined as one that will allow an intruder to
immediately gain privileged access (e.g., sysadmin or root) to the system or
allow an intruder to execute code or alter arbitrary system files. An example
of a high-risk vulnerability is one that allows an unauthorized user to send a
sequence of instructions to a machine and the machine responds with a command
prompt with administrator privileges.

Medium - A
medium-risk vulnerability is defined as one that will allow an intruder
immediate access to a system with less than privileged access. Such
vulnerability will allow the intruder the opportunity to continue the attempt
to gain privileged access. An example of medium-risk vulnerability is a server
configuration error that allows an intruder to capture the password
file.

Low - A
low-risk vulnerability is defined as one that will provide information to an
intruder that could lead to further compromise attempts or a Denial of Service
(DoS) attack. It should be noted that while the DoS attack is deemed low from
a threat potential, the frequency of this type of attack is very high. DoS
attacks against mission-critical nodes are not included in this rating and any
attack of this nature should instead be considered to be a "High"
threat.

Windows Operating Systems Only

Vendor &
Software Name

Vulnerability
- ImpactPatches - WorkaroundsAttacks Scripts

Common
Name

Risk

Source

Google

Toolbar 1.1.41-1.1.49, 1.1.53-1.1.60, 2.0.114.1

An input validation vulnerability exists in the 'About' section of the
Google Toolbar due to insufficient filtering of HTML code, which could let
a remote malicious user execute arbitrary HTML and JavaScript code.

No workaround or patch available at time of
publishing.

A Proof of Concept exploit script has been published.

Google Toolbar Input Validation

High

Bugtraq, September 17, 2004

IBM

Microsoft Windows XP SP1 OEM Version,

Microsoft Windows XP OEM
Version

A vulnerability exists due to a default hidden administrative account
that fails to set a password, which could let a malicious user obtain
administrative access.

No workaround or patch available at time of
publishing.

There is no exploit code required; however, a Proof of Concept exploit
has been published.

IBM OEM Microsoft Windows Default Administrative
Account

High

SECNAP Advisory, September 15, 2004

McAfee

VirusScan 4.5, 4.5.1

A vulnerability exists in 'System Scan' via the system tray applet due
to the failure to drop privileges, which could let a malicious user
execute arbitrary code.

This issue has reportedly been addressed by the vendor in Patch 48,
which may be obtained by customers with a valid contract grant number
through McAfee Corporate Technical Support.

There is no exploit code required.

McAfee VirusScan Arbitrary Code Execution

High

iDEFENSE Security Advisory, September 15, 2004

Microsoft

Windows CE 2.0, 3.0, 4.2

A vulnerability exists in the kernel memory structure KDataStruct,
which could let a malicious user obtain sensitive information.

Two vulnerabilities exist: a Denial of Service vulnerability exists
due to an error when processing incoming traffic; and a Cross-Site
Scripting vulnerability exists due to insufficient sanitization of
user-supplied URI input, which could let a remote malicious user execute
arbitrary HTML and script code.

No workaround or patch available at time of
publishing.

There is no exploit code required; however, a Proof of Concept exploit
has been published for the Cross-Site Scripting vulnerability.

A vulnerability exists in the 'pdesk.cgi' software due to insufficient
validation of the 'lang' parameter, which could let a malicious user
obtain sensitive information.

No workaround or patch available at time of
publishing.

There is no exploit code required; however, Proof of Concept exploit
has been published.

PerlDesk 'lang' Parameter Input Validation

Medium

SecurityTracker Alert ID, 1011276, September 15, 2004

MacOSXLabs

RsyncX 2.1

Two vulnerabilities exist: a vulnerability exists due to a failure to
drop 'wheel' group privileges, which could let a malicious user execute
arbitrary programs; and a vulnerability exists in '/tmp/cron_rsyncxtmp'
because the temporary file is created insecurely, which could let a
malicious user obtain elevated privileges.

A buffer overflow vulnerability exists in the apr-util library's IPv6
URIparsing functionality due to insufficient validation, which could
let a remote malicious user execute arbitrary code. Note: On Linux
based Unix variants this issue can only be exploited to trigger a Denial
of Service condition.

Multiple double-free vulnerabilities exist due to inconsistent memory
handling routines in the krb5 library: various double-free errors exist in
the KDC (Key Distribution Center) cleanup code and in client libraries,
which could let a remote malicious user execute arbitrary code; various
double-free errors exist in the 'krb5_rd_cred()' function, which could let
a remote malicious user execute arbitrary code; a double-free
vulnerability exists in krb524d, which could let a remote malicious user
execute arbitrary code; and a vulnerability exists in ASN.1 decoder when
handling indefinite length BER encodings, which could let a remote
malicious user cause a Denial of Service.

Multiple buffer overflow vulnerabilities exist in the Iimlib/Imlib2
libraries when handling malformed bitmap images, which could let a remote
malicious user cause a Denial of Service or execute arbitrary code.

Multiple vulnerabilities exist: a vulnerability exists when decoding
BMP images, which could let a remote malicious user cause a Denial of
Service; a vulnerability exists when decoding XPM images, which could let
a remote malicious user cause a Denial of Service or execute arbitrary
code; and a vulnerability exists when attempting to decode ICO images,
which could let a remote malicious user cause a Denial of Service.

Multiple vulnerabilities exist: a stack overflow exists in
'xpmParseColors()' in 'parse.c' when a specially crafted XPMv1 and XPMv2/3
file is submitted, which could let a remote malicious user execute
arbitrary code; a stack overflow vulnerability exists in the
'ParseAndPutPixels()' function in -create.c' when reading pixel values,
which could let a remote malicious user execute arbitrary code; and an
integer overflow vulnerability exists in the colorTable allocation in
'xpmParseColors()' in 'parse.c,' which could let a remote malicious user
execute arbitrary code.

Several vulnerabilities exist: a remote Denial of Service
vulnerability exists in the 'process_logon_packet()' function due to
insufficient validation of 'SAM_UAS_CHANGE' request packets; and a remote
Denial of Service vulnerability exists when a malicious user submits a
malformed packet to a target 'smbd' server.

A Denial of Service vulnerability exists in
SpamAssassin. A a remote user can send an e-mail message with specially
crafted headers to cause a Denial of Service attack against the
SpamAssassin service.

A vulnerability exists due to insufficient validation of
symboliclinks when sudoedit ("sudo -u" option) copies temporary files,
which could let a malicious user access the contents of arbitrary files
with superuser privileges.

Two vulnerabilities exist: a vulnerability exists because some security
checks are performed on the client-side and not on the server-side, which
could let an authenticated remote malicious user delete arbitrary
documents; and a Cross-Site Scripting vulnerability exists due to
insufficient sanitization of user-supplied input when uploading documents,
which could let a remote malicious user execute arbitrary HTML and script
code.

The vendor has released patches dealing with this issue. Users are
recommended to contact the vendor for patch and update availability.

A buffer overflow vulnerability exists in the Netscape Network
Security Services (NSS) library suite due to insufficient boundary checks,
which could let a remote malicious user which may result in remote execute
arbitrary code.

A Cross-Site Scripting vulnerability exists in 'transforms.php' due to
insufficient sanitization of user-supplied URI input, which could let a
remote malicious user execute arbitrary HTML and script code.

Several vulnerabilities exist: a vulnerability exists due to a failure
to properly validate access to administrative commands, which could let a
remote malicious user execute arbitrary commands; and a Cross-Site
Scripting vulnerability exists in the 'YaBB.pl' script, which could let a
remote malicious user execute arbitrary HTML and script code.

Recent
Exploit Scripts/Techniques

The table below
contains a sample of exploit scripts and "how to" guides identified during this
period. The "Workaround or Patch Available" column indicates if vendors,
security vulnerability listservs, or Computer Emergency Response Teams (CERTs)
have published workarounds or patches.

Note: At times,
scripts/techniques may contain names or content that may be considered
offensive.

Date of
Exploit(Reverse Chronological
Order)

Script
or Exploit Name

Workaround or Patch Available

Description

September 21, 2004

advisory-05-glFTPd.txt

No

Proof of concept exploit for the local stack overflow vulnerability in
the dupescan binary from glFTPd versions 2.00RC3 and below.

September 21, 2004

ettercap-NG-0.7.1.tar.gz

N/A

Ettercap NG is a network sniffer/interceptor/logger for switched LANs.
It uses ARP poisoning and the man-in-the-middle technique to sniff all the
connections between two hosts.

September 21, 2004

mambo45.jose.txt

Yes

Mambo versions 4.5 and below are susceptible to cross site scripting
and remote command execution flaws.

CDRTools is reportedly vulnerable to an RSH environment variable
privilege escalation vulnerability. This issue is due to a failure of the
application to properly implement security controls when executing an
application specified by the RSH environment variable.

September 15, 2004

challenges.tgz

N/A

This package contains example vulnerable C programs. There are
examples of buffer overflows (stack and heap) and format string
vulnerabilities. All examples are exploitable with a standard linux/x86
environment.

September 15, 2004

fwknop-0.4.1.tar.gz

N/A

fwknop is a flexible port knocking implementation that is based around
iptables. Both shared knock sequences and encrypted knock sequences are
supported.

September 15, 2004

myServer07.txt

Yes

myServer version 0.7 is susceptible to a simple directory traversal
attack.

September 15, 2004

netw-ib-ox-ag-5.24.0.tgz

N/A

Netwox is a utility that supports various protocols (DNS, FTP, HTTP,
NNTP, SMTP, SNMP) and performs low level functions like sniffing, spoofing
traffic, and playing client/server roles. Both Windows and Unix versions
are included.

September 15, 2004

None

Yes

Proof of concept vulnerability for the vulnerability in the Mozilla
'enablePrivilege' method.

September 15, 2004

None

Yes

Proof of concept exploit for the vulnerability in Mozilla and Firefox
browsers that could permit a remote site to gain access to contents of the
client user's clipboard.

September 15, 2004

pizzaicmp.c

N/A

ICMP-based triggered Linux kernel module that executes a local binary
upon successful use.

September 15, 2004

Rx.exe

Yes

A small universal Windows reverse shell for all versions of Windows
NT/2K/XP/2003 with any service pack.

Trends

Several vulnerabilities exist in the Mozilla web browser and derived products, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system. Mozilla has released versions of the affected software that contain patches for these issues: Mozilla 1.7.3, Firefox Preview Release, Thunderbird 0.8. Users are strongly encouraged to upgrade to one of these versions: www.mozilla.org. For more information, see US-CERT Technical Cyber Security Alert TA04-261A: Multiple vulnerabilities in Mozilla products. Available at: http://www.uscert.gov/cas/techalerts/TA04-261A.html

The volume of worms and viruses is increasing, but the rate of successful attacks has dropped, according to a new report from Symantec. The antivirus company's biannual Internet Security Threat Report found that 4,496 new Windows viruses and worms were released between January and June, more than 4.5 times the number seen in the same period last year. Overall, however, the daily volume of actual attacks decreased in the first six months of 2004. Alfred Huger, a senior director at Symantec's Security Response team, said malicious code writers were increasingly selling access to the computers they break into to spammers, who then use those compromised machines to send unsolicited messages. Symantec also said it expects more viruses and worms in the future to target systems running the Linux operating system and hand-held devices as these become more widely used. The report also noted that the rate at which personal computers are hijacked rose sharply in the first half of 2004: an average of 30,000 computers per day were turned into enslaved "zombies", compared with about 2,000 per day in 2003. Report: http://enterprisesecurity.symantec.com/content.cfm?articleid=1539 (CNET News.com, September 20, 2004)

Viruses/Trojans

Top Ten Virus
Threats

A list of high threat
viruses, as reported to various anti-virus vendors and virus incident reporting
organizations, has been ranked and categorized in the table below. For the
purposes of collecting and collating data, infections involving multiple systems
at a single location are considered a single infection. It is therefore possible
that a virus has infected hundreds of machines but has only been counted once.
With the number of viruses that appear each month, it is possible that a new
virus will become widely distributed before the next edition of this
publication. To limit the possibility of infection, readers are reminded to
update their anti-virus packages as soon as updates become available. The table
lists the viruses by ranking (number of sites affected), common virus name, type
of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on
number of infections reported during the latest three months), and approximate
date first found.

Rank  Common Name  Type of Code  Trends           Date

1     Netsky-P     Win32 Worm    Stable           March 2004
2     Zafi-B       Win32 Worm    Stable           June 2004
3     Netsky-Z     Win32 Worm    Stable           April 2004
4     Netsky-D     Win32 Worm    Stable           March 2004
5     Netsky-B     Win32 Worm    Stable           February 2004
6     Mydoom.m     Win32 Worm    Increase         July 2004
7     Mydoom.q     Win32 Worm    Slight Decrease  August 2004
8     Bagle-AA     Win32 Worm    Slight Decrease  April 2004
9     Netsky-Q     Win32 Worm    Stable           March 2004
10    MyDoom-O     Win32 Worm    Decrease         July 2004

Top Ten Table Updated September 17, 2004

Viruses or Trojans Considered to be a High Level of
Threat

Troj/IBank-A: Sophos is warning computer users about a
Trojan horse that helps hackers break into the bank accounts of customers of
an Australian bank. The Troj/IBank-A Trojan horse is designed to steal
information from Internet customers of the National Australia Bank, which
could allow hackers to break into accounts and steal substantial amounts of
money. Although this particular Trojan horse only targets users of an
Australian bank, Sophos warns that others have been seen which affect banking
customers in other parts of the world.

The following table provides, in
alphabetical order, a list of new viruses, variations of previously encountered
viruses, and Trojans that have been discovered during the period covered by this
bulletin. This information has been compiled from the following anti-virus
vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central
Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer
Associates, and The WildList Organization International. Users should keep
anti-virus software up to date and should contact their anti-virus vendors to
obtain specific information on the Trojans and Trojan variants that anti-virus
software detects.

NOTE: At times, viruses and
Trojans may contain names or content that may be considered offensive.